Chef Summit London: InSpec Keynote

Christoph Hartmann

October 16, 2018
Transcript

  1. Christoph Hartmann
    Co-Creator InSpec, Engineering Director
    Twitter: @chri_hartmann
    Github: chris-rock
    Alex Pop
    Software Engineer
    Twitter: @al3xpop
    Github: alexpop

  2. InSpec Updates
    Alex Pop & Christoph Hartmann

  3. Agenda
    ● InSpec Overview
    ● Project Community Update
    ● Demo 1: Profile and Control Improvements
    ● Demo 2: Extensions and Integrations
    ● InSpec Outlook
    ● Q & A

  4. InSpec Overview
    ● Show of hands
    ● Open-source framework with:
    ○ a simple language to describe tests
    ○ local & remote execution engine
    ○ flexible reporting
    ● Used primarily for infrastructure and compliance testing

  5. Audience
    DevOps Security
    Compliance

  6. Security
    Heartbleed Shellshock WannaCry

  7. Mapping of Compliance Document to InSpec

  8. InSpec Achievements

  9. InSpec Timeline
    Initial Version: April 9th, 2015
    InSpec 0.9: November 3rd, 2015
    InSpec 1.0: September 26th, 2016
    InSpec 2.0: February 20th, 2018

  10. Project Health
    ● 207 contributors
    ● 36 days issue resolution time
    ● 626 total releases (one per week)

  11. Project Health (Commits per Week)

  12. Project Health (Stargazers)

  13. Operating System Support
    Amazon Linux, CentOS, HP-UX, IBM AIX, RHEL, SLES, Ubuntu, Windows, Debian, Cisco IOS

  14. Cloud Platform Support
    ● Integrated in Azure Shell, Part of Azure Policy's Guest Configuration
    ● Integrated into AWS EC2 Run Command
    ● InSpec integrates with PowerCLI

  15. Platform Resources are managed in Resource Packs
    [Diagram: Profile 1 and Profile 2 depend on a Resource Pack]
    ● Resource improvements are managed independently from InSpec’s runtime
    ● Easier to support new platforms
    ● Makes management of the runtime independent from the user of the runtime

  16. New: Support for Google Cloud Platform
    github: inspec/inspec-gcp

  17. InSpec helps to shift security concerns to the left
    Compliance
    DevOps

  18. InSpec 3
    :shipit:

  19. Demo:
    Profile & Control Improvements

  20. InSpec’s Extension Mechanism (Current)
    [Diagram of the three current extension mechanisms: Profile Inheritance, Wrapper Profiles, Resource Packs]
    ● Profile Inheritance: DevSec Windows Baseline, DevSec Windows Patch Baseline, DevSec Linux Baseline, DevSec Linux Patch Baseline
    ● Wrapper Profiles: My CIS L1 (inspec overlay) wrapping CIS Lvl1 (inspec)
    ● Resource Packs: Profile 1 and Profile 2 sharing a Resource Pack

  21. InSpec’s Extension Mechanism
    [Diagram: Provisioning and Verification]

  22. InSpec’s Extension Mechanism
    ● CLI and Platform Plugins
    ● Terraform Provisioner Plugin
    ○ terraform plugin github: inspec/terraform-provisioner-inspec
    ○ inspec terraform cli plugin github: inspec/inspec-iggy

  23. Digitalocean Extensions for InSpec
    ● Digitalocean Resource Pack
    ● Digitalocean Platform Plugin

  24. Demo 2
    Extensions & Integrations

  25. InSpec’s Extension Mechanism
    [Diagram: Provisioning and Verification]

  26. InSpec Wrap-up
    ● Improvements for advanced profile handling, scalability and easier profile editing
    ● Improved reporting for aggregated profiles
    ● Extended cloud resources
    ● Google Cloud and Digitalocean resource pack
    ● Improved Terraform InSpec integration

  27. InSpec Outlook
    ● Priorities are based on issues and community feedback
    ● Identified areas for improvement
    ○ Simplified usage of resource packs
    ○ Improved resource lifecycle handling (alpha, stable, deprecated)
    ○ Ensure consistent behaviour for unavailable resources
    ○ Improve profile inheritance with namespaced attributes
    ○ Centralized deprecation behavior across inspec

  28. OpenSource Resources
    inspec.io
    • Hands on tutorials
    • Extensive documentation
    • Code examples
    dev-sec.io
    • Chef Cookbooks
    • InSpec Baselines

  29. Chef Automate ships with over 100 CIS Profiles

  30. Plugins
    ● Support for InSpec CLI and Platform plugins
    ○ CLI https://github.com/inspec/inspec-iggy
    ○ Backend https://github.com/inspec/train-digitalocean
    ● Resource Packs for Platforms
    ○ https://github.com/chris-rock/inspec-digitalocean
    ● See https://github.com/inspec/inspec/issues/3089 for more details

  31. Unified attributes (1/2)
    Instead of re-defining InSpec attributes in each test file:
    --> control1.rb
    user = attribute('user', default: 'alice', description: '...')
    ...
    --> control2.rb
    user = attribute('user', default: 'alice', description: '...')

  32. Unified attributes (2/2)
    Attributes are defined in the inspec.yml:
    attributes:
      - name: user
        default: alice
        required: true
    See https://github.com/inspec/inspec/issues/3176
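As an added example (not InSpec's own code), the Ruby below resolves attributes declared in an inspec.yml `attributes:` section: override values win, then the declared default, and a `required: true` attribute left without any value is an error rather than a silent nil. The sample YAML, the `resolve_attributes` helper and the `MissingAttribute` error are constructed for this illustration.

```ruby
# Added example, not InSpec's own implementation: resolve unified attributes
# from an inspec.yml so that a required attribute can never silently be nil.
# Uses only the Ruby standard library.
require 'yaml'

# Constructed sample of the `attributes:` section described on the slide.
INSPEC_YML = <<~YAML
  name: my-profile
  attributes:
    - name: user
      default: alice
      required: true
    - name: ssh_port
      default: 22
    - name: db_password
      required: true
YAML

# Raised when a required attribute has neither an override nor a default.
class MissingAttribute < StandardError; end

# Returns {name => value}. Precedence: override (e.g. from the CLI or a
# wrapper profile) > default from inspec.yml > nil for optional attributes.
def resolve_attributes(yml_text, overrides = {})
  meta = YAML.safe_load(yml_text)
  (meta['attributes'] || []).each_with_object({}) do |attr, resolved|
    name = attr.fetch('name')
    if overrides.key?(name)
      resolved[name] = overrides[name]
    elsif attr.key?('default')
      resolved[name] = attr['default']
    elsif attr['required']
      raise MissingAttribute, "attribute '#{name}' is required but has no value"
    else
      resolved[name] = nil
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # db_password has no default, so it must be supplied by the caller.
  p resolve_attributes(INSPEC_YML, 'db_password' => 'example-only')
end
```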

  33. Skip overhaul
    ● "Skip" is currently used to identify cases where a control cannot run:
    ○ The user doesn't want it to run when inheriting the profile
    Example: Use your colleague's AWS profile but skip all controls that test S3.
    ○ The control isn't run when certain conditions are met.
    For example don't test MySQL if it isn't installed.
    ○ A control is skipped if it uses resources that are not supported on the target system. For example looking for a "package" when testing an API.
    ● See https://github.com/inspec/inspec/issues/3158 for more details

  34. Severity
    Prior to InSpec 3, severity was a numerical value that is implicitly scaled as:
    0.0 Informational
    <0.4 Minor controls
    <0.7 Major controls
    <=1.0 Critical controls
    We can now be more descriptive and use the CVSS values: low, medium, high, critical
    See https://github.com/inspec/inspec/issues/562
    control 'one' do
      impact 1.0
    end

    control 'one' do
      impact 'critical'
    end

  35. Multiple description types (1/2)
    We often see descriptions like the following in our controls:
    desc '
    This is a very long description.
    Rational: Why we do this…
    Fixtext: How to fix it…
    '
    This doesn’t expose the context of the description, e.g. the “rational” or “fixtext”.

  36. Multiple description types (2/2)
    By using an identifier for the descriptions, users can provide more context:
    desc '
    This is a very long description.
    '
    desc 'rational': 'Why we do this...'
    desc 'fixtext': 'How to fix it...'
    See https://github.com/inspec/inspec/issues/1695
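As an added example (not InSpec's own code), this Ruby splits a legacy single-blob description like the one on the previous slide into the typed form shown here, so the rationale and fix text become addressable on their own. The `split_description` helper, the label list and the sample text are constructed; the slide's spelling 'rational' is kept as the label.

```ruby
# Added example, not InSpec's own implementation: turn a legacy description
# blob with "Rational:" / "Fixtext:" lines into a hash of typed descriptions
# ({'default' => ..., 'rational' => ..., 'fixtext' => ...}).

# Labels recognised at the start of a line (spelling follows the slide).
DESC_TYPES = %w[rational fixtext].freeze
# Assumption: a label is matched case-insensitively and followed by a colon.
LABEL_RE = /\A(#{DESC_TYPES.join('|')})\s*:\s*(.*)\z/i

# Leading free text lands under 'default'; every later line is appended to
# the most recently seen label until the next label switches the target.
def split_description(blob)
  result = {}
  current = 'default'
  blob.each_line do |raw|
    line = raw.strip
    next if line.empty?
    if (m = LABEL_RE.match(line))
      current = m[1].downcase
      result[current] = m[2].strip
    else
      result[current] = [result[current], line].compact.join(' ').strip
    end
  end
  # Drop types that ended up with no text (e.g. a bare "Fixtext:" line).
  result.reject { |_type, text| text.empty? }
end

# Constructed sample in the shape the previous slide calls out.
LEGACY_DESC = <<~TEXT
  This is a very long description.
  Rational: Why we do this...
  Fixtext: How to fix it...
TEXT

if $PROGRAM_NAME == __FILE__
  split_description(LEGACY_DESC).each do |type, text|
    puts "desc '#{type}': '#{text}'"
  end
end
```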